
Researchers: Phone Tilt Could Reveal PIN

Motion sensors in smartphones could give away your lock code to hackers according to new research. But practical limitations mean related attacks might have to be specifically targeted.

Researchers at Newcastle University explored the idea that sensors such as accelerometers, gyroscopes, compasses and GPS chips in phones could reveal more detail than users realize. These sensors serve a variety of functions such as location tracking, fitness tracking and gesture control, for example turning a phone face down to instantly switch it to "do not disturb" mode.

Their theory was that such sensors are precise enough to pick up the slight tilt of the handset that results from a user tapping the screen in a specific location, such as when typing in a four-digit code to unlock the phone. Because each key sits at a different spot on the screen, each tap rocks the phone in a slightly different way.

App Permissions Sometimes Opaque

That's a potential risk given that, depending on the phone and operating system, apps can obtain user permission to read sensor data, often through a confusing prompt and even for apps that have no legitimate reason to need it. The researchers also noted that in some cases script on a malicious mobile website can read the motion-sensor data without any permission prompt at all.

The researchers first recorded the motion-sensor data while known codes were typed in and identified the tilt patterns associated with each key. They then ran fresh tests in which they did not know which codes had been typed. Using the sensor data alone they correctly guessed 70 percent of the codes on the first attempt and got every code within five attempts, which is less than the number of wrong attempts allowed on most handsets. (Source:
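To make the two-phase attack described above concrete, the following script is an added illustration written for this page; it is not the Newcastle researchers' code, and the keypad layout, the tilt model and every "sensor reading" in it are constructed. It trains one tilt centroid per digit from readings taken while the digits are known, then scores readings from an unknown four-digit code, combines the per-tap scores into every possible PIN and ranks them, so that "how many guesses until the right PIN" can be read off directly. Function and variable names are hypothetical.

```javascript
// Added illustration of the tilt side channel, not the researchers' code.
// All sensor data below is constructed from a simple tilt model plus noise.

// Hypothetical 3x4 keypad: [x, y] offset of each digit from the screen centre.
const KEYPAD = {
  1: [-1, -1.5], 2: [0, -1.5], 3: [1, -1.5],
  4: [-1, -0.5], 5: [0, -0.5], 6: [1, -0.5],
  7: [-1,  0.5], 8: [0,  0.5], 9: [1,  0.5],
  0: [0,  1.5],
};
const DIGITS = Object.keys(KEYPAD); // '0'..'9'

// Deterministic pseudo-random generator so the constructed noise is reproducible.
function makeRng(seed) {
  let s = seed >>> 0;
  return () => {
    s = (Math.imul(s, 1664525) + 1013904223) >>> 0;
    return s / 2 ** 32 - 0.5; // uniform in [-0.5, 0.5)
  };
}

// Constructed "sensor reading" for one tap: the phone rocks about its x axis in
// proportion to the tap's vertical offset and about its y axis in proportion to
// its horizontal offset, plus noise. Returns [rotationX, rotationY].
function simulateTap(digit, rng, noise = 0.6) {
  const [x, y] = KEYPAD[digit];
  return [y + noise * rng(), x + noise * rng()];
}

// Training phase: readings for known digits, reduced to one centroid per digit.
function trainCentroids(samplesPerDigit, rng, noise) {
  const centroids = {};
  for (const d of DIGITS) {
    let sx = 0, sy = 0;
    for (let i = 0; i < samplesPerDigit; i++) {
      const [rx, ry] = simulateTap(d, rng, noise);
      sx += rx; sy += ry;
    }
    centroids[d] = [sx / samplesPerDigit, sy / samplesPerDigit];
  }
  return centroids;
}

// Probability of each digit for one unknown reading: softmax over negative
// squared distance to the centroids, so nearer digits score higher.
function digitScores(reading, centroids, sigma = 0.4) {
  const logits = DIGITS.map((d) => {
    const [cx, cy] = centroids[d];
    const dist2 = (reading[0] - cx) ** 2 + (reading[1] - cy) ** 2;
    return -dist2 / (2 * sigma * sigma);
  });
  const max = Math.max(...logits);
  const exps = logits.map((l) => Math.exp(l - max));
  const total = exps.reduce((a, b) => a + b, 0);
  return Object.fromEntries(DIGITS.map((d, i) => [d, exps[i] / total]));
}

// Attack phase: combine per-tap scores into every PIN of that length and rank.
function rankPins(readings, centroids) {
  const perTap = readings.map((r) => digitScores(r, centroids));
  const candidates = [];
  for (let n = 0; n < 10 ** readings.length; n++) {
    const pin = n.toString().padStart(readings.length, '0');
    let score = 1;
    for (let i = 0; i < pin.length; i++) score *= perTap[i][pin[i]];
    candidates.push({ pin, score });
  }
  return candidates.sort((a, b) => b.score - a.score);
}

// Position of the true PIN in the ranked list, i.e. guesses the attacker needs.
function guessesNeeded(truePin, ranked) {
  return ranked.findIndex((c) => c.pin === truePin) + 1;
}

// End-to-end run against one PIN with constructed training and attack readings.
function runAttack(truePin, seed = 1, noise = 0.6) {
  const rng = makeRng(seed);
  const centroids = trainCentroids(20, rng, noise);
  const readings = [...truePin].map((d) => simulateTap(d, rng, noise));
  const ranked = rankPins(readings, centroids);
  return {
    guesses: guessesNeeded(truePin, ranked),
    top5: ranked.slice(0, 5).map((c) => c.pin),
  };
}

console.log(runAttack('4802'));
```

Two things worth noticing when running it: with the `noise` parameter set to 0 the true PIN is always ranked first, because each key's tilt signature is unique, and as noise grows the true PIN drifts down the list but usually stays near the top, which is why a ranked list of guesses matters more to an attacker than a single best guess when the handset only allows a handful of wrong attempts.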

Business Spying Most Likely Use

The good news is that a hacker would first need to obtain the sensor data (for example through a malicious app or rogue site) and then gain physical access to the phone, so the attack is only really useful for targeting specific individuals, such as in corporate espionage.

According to the researchers, phone and software makers could take three steps to reduce the risk. One is to fix flaws in mobile browsers that allow websites to read sensor data without permission. Another is to actively warn the user when an app is accessing sensor data. The third is to let users set permissions such that apps can only access sensor data while the app is on-screen and active rather than in the background. (Source: arxiv.org)

What's Your Opinion?

Had you considered this risk before? Do you pay close attention to permission settings when you install apps? Is there anything else phone and software companies could do to mitigate the risks?

Comments

It's time for the consumer to be able to control their phone. The user should be able to deny access to services on the phone, app by app. I'd use many more apps if I could control the permissions, but it seems the only way to control it is to not install the app.

Can the reason for such high investing valuations of some apps be the personal data they have collected and the continued access to it? Not necessarily the service they provide and ad revenue?